<!doctype html>
<html lang="zh-CN">
<head>

    <meta charset="utf-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1">
    
    <meta name="referrer" content="no-referrer-when-downgrade">
    

    <title>java编码安全 | Anttu&#39;s Blog</title>
    <meta property="og:title" content="java编码安全 - Anttu&#39;s Blog">
    <meta property="og:type" content="article">
        
    <meta property="article:published_time" content='2021-09-30T00:29:47&#43;08:00'>
        
        
    <meta property="article:modified_time" content='2021-09-30T00:29:47&#43;08:00'>
        
    <meta name="Keywords" content="golang,go语言,go语言笔记,anttu,java,博客,bash,linux笔记,python笔记,公众号,小程序">
    <meta name="description" content="java编码安全">
        
    <meta name="author" content="Anttu">
    <meta property="og:url" content="https://anttu.gitee.io/post/2021-09-30-safe_coding_java/">
    <link rel="shortcut icon" href='/favicon.ico'  type="image/x-icon">

    <link rel="stylesheet" href='/css/normalize.css'>
    <link rel="stylesheet" href='/css/style.css'>
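    <!-- NOTE(review): jQuery is fetched from a third-party CDN without Subresource Integrity;
         once the digest is computed, pin it with integrity="<SRI-HASH-PLACEHOLDER>" crossorigin="anonymous".
         Fetched over an explicit https: origin (the page itself is served over https, so the
         protocol-relative form resolved to the same URL). Kept synchronous (no defer) on purpose:
         the inline TOC script in the body calls $() at parse time. -->
    <script src="https://cdn.bootcdn.net/ajax/libs/jquery/3.4.1/jquery.min.js"></script>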

    
    
    
    
    
    
        <link rel="stylesheet" href='/css/asciinema-player.css'>
    
</head>


<body>

    <div id="body">
        <div class="container">
            <div class="col-group">

                <div class="col-8" id="main">
                    
<div class="res-cons">
    <style type="text/css">
    /* Floating table of contents for the post. It is pulled 210px to the left of
       its container (into the page gutter) and scrolls internally once it grows
       taller than 70% of the viewport. */
    .post-toc {
        position: fixed;
        width: 200px;
        margin-left: -210px;
        padding: 5px 10px;
        font-family: Athelas, STHeiti, Microsoft Yahei, serif;
        font-size: 12px;
        border: 1px solid rgba(0, 0, 0, .07);
        border-radius: 5px;
        background-color: rgba(255, 255, 255, 0.98);
        background-clip: padding-box;
        -webkit-box-shadow: 1px 1px 2px rgba(0, 0, 0, .125);
        box-shadow: 1px 1px 2px rgba(0, 0, 0, .125);
        word-wrap: break-word;
        /* nowrap keeps one heading per line; long titles are clipped by overflow-x below,
           so the word-wrap rule above effectively never applies */
        white-space: nowrap;
        -webkit-box-sizing: border-box;
        box-sizing: border-box;
        z-index: 999;
        cursor: pointer;
        max-height: 70%;
        overflow-y: auto;
        overflow-x: hidden;
    }

    /* Centered "文章目录" heading at the top of the box. */
    .post-toc .post-toc-title {
        width: 100%;
        margin: 0 auto;
        font-size: 20px;
        font-weight: 400;
        text-transform: uppercase;
        text-align: center;
    }

    .post-toc .post-toc-content {
        font-size: 15px;
    }

    /* Outer list of the generated nav (#TableOfContents). */
    .post-toc .post-toc-content>nav>ul {
        margin: 10px 0;
    }

    .post-toc .post-toc-content ul {
        padding-left: 20px;
        list-style: square;
        margin: 0.5em;
        line-height: 1.8em;
    }

    /* Nested (sub-heading) levels are hidden by default. */
    .post-toc .post-toc-content ul ul {
        padding-left: 15px;
        display: none;
    }

    /* No room for the gutter TOC when printing or on viewports narrower than 1058px. */
    @media print,
    screen and (max-width:1057px) {
        .post-toc {
            display: none;
        }
    }
</style>
<div class="post-toc" style="position: absolute; top: 188px;">
    <h2 class="post-toc-title">文章目录</h2>
    <div class="post-toc-content">
        <nav id="TableOfContents">
  <ul>
    <li>
      <ul>
        <li></li>
      </ul>
    </li>
    <li><a href="#11-数据持久化">1.1 数据持久化</a>
      <ul>
        <li><a href="#111必须sql语句默认使用预编译并绑定变量">1.1.1【必须】SQL语句默认使用预编译并绑定变量</a></li>
        <li><a href="#112必须白名单过滤">1.1.2【必须】白名单过滤</a></li>
      </ul>
    </li>
    <li><a href="#12-文件操作">1.2 文件操作</a>
      <ul>
        <li><a href="#121必须文件类型限制">1.2.1【必须】文件类型限制</a></li>
        <li><a href="#122必须禁止外部文件存储于可执行目录">1.2.2【必须】禁止外部文件存储于可执行目录</a></li>
        <li><a href="#123建议避免路径拼接">1.2.3【建议】避免路径拼接</a></li>
        <li><a href="#124必须避免路径穿越">1.2.4【必须】避免路径穿越</a></li>
      </ul>
    </li>
    <li><a href="#13-网络访问">1.3 网络访问</a>
      <ul>
        <li><a href="#131必须避免直接访问不可信地址">1.3.1【必须】避免直接访问不可信地址</a></li>
      </ul>
    </li>
    <li><a href="#14-xml读写">1.4 XML读写</a>
      <ul>
        <li><a href="#141必须xml解析器关闭dtd解析">1.4.1【必须】XML解析器关闭DTD解析</a></li>
      </ul>
    </li>
    <li><a href="#15-响应输出">1.5 响应输出</a>
      <ul>
        <li><a href="#151必须设置正确的http响应包类型">1.5.1【必须】设置正确的HTTP响应包类型</a></li>
        <li><a href="#152建议设置安全的http响应头">1.5.2【建议】设置安全的HTTP响应头</a></li>
        <li><a href="#153必须外部输入拼接到response页面前进行编码处理">1.5.3【必须】外部输入拼接到response页面前进行编码处理</a></li>
        <li><a href="#154必须外部输入拼接到http响应头中需进行过滤">1.5.4【必须】外部输入拼接到HTTP响应头中需进行过滤</a></li>
        <li><a href="#155必须避免不可信域名的302跳转">1.5.5【必须】避免不可信域名的302跳转</a></li>
        <li><a href="#156必须避免通过jsonp传输非公开敏感信息">1.5.6【必须】避免通过Jsonp传输非公开敏感信息</a></li>
        <li><a href="#157必须限定jsonp接口的callback字符集范围">1.5.7【必须】限定JSONP接口的callback字符集范围</a></li>
        <li><a href="#158必须屏蔽异常栈">1.5.8【必须】屏蔽异常栈</a></li>
        <li><a href="#159必须模板表达式">1.5.9【必须】模板&amp;表达式</a></li>
      </ul>
    </li>
    <li><a href="#16-os命令执行">1.6 OS命令执行</a>
      <ul>
        <li><a href="#161建议避免不可信数据拼接操作系统命令">1.6.1【建议】避免不可信数据拼接操作系统命令</a></li>
        <li><a href="#162必须避免创建shell操作">1.6.2【必须】避免创建SHELL操作</a></li>
      </ul>
    </li>
    <li><a href="#17-会话管理">1.7 会话管理</a>
      <ul>
        <li><a href="#171必须非一次有效身份凭证禁止在url中传输">1.7.1【必须】非一次有效身份凭证禁止在URL中传输</a></li>
        <li><a href="#172必须避免未经校验的数据直接给会话赋值">1.7.2【必须】避免未经校验的数据直接给会话赋值</a></li>
      </ul>
    </li>
    <li><a href="#18-加解密">1.8 加解密</a>
      <ul>
        <li><a href="#181建议对称加密">1.8.1【建议】对称加密</a></li>
        <li><a href="#182建议非对称加密">1.8.2【建议】非对称加密</a></li>
        <li><a href="#183建议哈希算法">1.8.3【建议】哈希算法</a></li>
        <li><a href="#184建议密码存储策略">1.8.4【建议】密码存储策略</a></li>
      </ul>
    </li>
    <li><a href="#19-查询业务">1.9 查询业务</a>
      <ul>
        <li><a href="#191必须返回信息最小化">1.9.1【必须】返回信息最小化</a></li>
        <li><a href="#192必须个人敏感信息脱敏展示">1.9.2【必须】个人敏感信息脱敏展示</a></li>
        <li><a href="#193必须数据权限校验">1.9.3【必须】数据权限校验</a></li>
      </ul>
    </li>
    <li><a href="#110-操作业务">1.10 操作业务</a>
      <ul>
        <li><a href="#1101必须部署csrf防御机制">1.10.1【必须】部署CSRF防御机制</a></li>
        <li><a href="#1102必须权限校验">1.10.2【必须】权限校验</a></li>
        <li><a href="#1103建议加锁操作">1.10.3【建议】加锁操作</a></li>
      </ul>
    </li>
  </ul>
</nav>
    </div>
</div>
<script type="text/javascript">
    $(document).ready(function () {
        // Floating table of contents: docked (absolute) at its natural position until the
        // page is scrolled past it, then pinned (fixed) near the top of the viewport.
        var toc = $(".post-toc");

        if (toc.length) {
            // Narrow layouts: shrink the TOC so it fits in the gutter left of #main.
            var gutter = $("#main").offset().left;
            if (gutter < 220) {
                toc.css({ "width": gutter - 10, "margin-left": (0 - gutter) });
            }

            // Scroll offset at which the TOC switches from docked to pinned.
            var threshold = toc.offset().top - 20;
            var docked = { position: "absolute", top: threshold };
            var pinned = { position: "fixed", top: 20 };

            $(window).scroll(function () {
                if ($(window).scrollTop() < threshold) {
                    toc.css(docked);
                } else {
                    toc.css(pinned);
                }
            });
        }

        // Drop the TOC container entirely when the generated nav has no entries.
        if ($("#TableOfContents").children().length < 1) {
            $(".post-toc").remove();
        }
    });
</script>
    <article class="post">
        <header>
            <h1 class="post-title">java编码安全</h1>
        </header>
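        <!-- <date> is not an HTML element; <time> carries the same classes for styling and a
             machine-readable datetime matching the article:published_time meta in <head>. -->
        <time class="post-meta meta-date" datetime="2021-09-30T00:29:47+08:00">
            2021年9月30日
        </time>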
        
        <div class="post-meta">
            <span>|</span>
            
            <span class="meta-category">
                <a href='/categories/java' target="_blank">java</a>
            </span>
            
            <span class="meta-category">
                <a href='/categories/safe' target="_blank">safe</a>
            </span>
            
        </div>
        
        
        <div class="post-meta">
            <span id="busuanzi_container_page_pv">|<span id="busuanzi_value_page_pv"></span><span>
                    阅读</span></span>
        </div>
        
        
        <div class="clear" style="display: none">
            <div class="toc-article">
                <div class="toc-title">文章目录</div>
            </div>
        </div>
        
        <div class="post-content">
            <h5 id="后端java开发-----转自腾讯github">后端java开发  &ndash; 转自腾讯github</h5>
<h2 id="11-数据持久化">1.1 数据持久化</h2>
<h3 id="111必须sql语句默认使用预编译并绑定变量">1.1.1【必须】SQL语句默认使用预编译并绑定变量</h3>
<p>Web后台系统应默认使用预编译绑定变量的形式创建sql语句，保持查询语句和数据相分离。以从本质上避免SQL注入风险。</p>
<p>如使用Mybatis作为持久层框架，应通过#{}语法进行参数绑定，MyBatis 会创建 <code>PreparedStatement</code> 参数占位符，并通过占位符安全地设置参数。</p>
<p>示例：JDBC</p>
<div class="highlight"><div style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">
<table style="border-spacing:0;padding:0;margin:0;border:0;"><tr><td style="vertical-align:top;padding:0;margin:0;border:0;">
<pre tabindex="0" style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">1
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">2
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">3
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">4
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">5
</span></code></pre></td>
<td style="vertical-align:top;padding:0;margin:0;border:0;;width:100%">
<pre tabindex="0" style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-java" data-lang="java"><span style="display:flex;"><span>String custname <span style="color:#000;font-weight:bold">=</span> request<span style="color:#000;font-weight:bold">.</span><span style="color:#008080">getParameter</span><span style="color:#000;font-weight:bold">(</span><span style="color:#d14">&#34;name&#34;</span><span style="color:#000;font-weight:bold">);</span> 
</span></span><span style="display:flex;"><span>String query <span style="color:#000;font-weight:bold">=</span> <span style="color:#d14">&#34;SELECT * FROM user_data WHERE user_name = ? &#34;</span><span style="color:#000;font-weight:bold">;</span>
</span></span><span style="display:flex;"><span>PreparedStatement pstmt <span style="color:#000;font-weight:bold">=</span> connection<span style="color:#000;font-weight:bold">.</span><span style="color:#008080">prepareStatement</span><span style="color:#000;font-weight:bold">(</span> query <span style="color:#000;font-weight:bold">);</span>
</span></span><span style="display:flex;"><span>pstmt<span style="color:#000;font-weight:bold">.</span><span style="color:#008080">setString</span><span style="color:#000;font-weight:bold">(</span> 1<span style="color:#000;font-weight:bold">,</span> custname<span style="color:#000;font-weight:bold">);</span> 
</span></span><span style="display:flex;"><span>ResultSet results <span style="color:#000;font-weight:bold">=</span> pstmt<span style="color:#000;font-weight:bold">.</span><span style="color:#008080">executeQuery</span><span style="color:#000;font-weight:bold">(</span> <span style="color:#000;font-weight:bold">);</span>
</span></span></code></pre></td></tr></table>
</div>
</div><p>Mybatis</p>
<div class="highlight"><div style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">
<table style="border-spacing:0;padding:0;margin:0;border:0;"><tr><td style="vertical-align:top;padding:0;margin:0;border:0;">
<pre tabindex="0" style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">1
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">2
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">3
</span></code></pre></td>
<td style="vertical-align:top;padding:0;margin:0;border:0;;width:100%">
<pre tabindex="0" style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-java" data-lang="java"><span style="display:flex;"><span><span style="color:#000;font-weight:bold">&lt;</span>select id<span style="color:#000;font-weight:bold">=</span><span style="color:#d14">&#34;queryRuleIdByApplicationId&#34;</span> parameterType<span style="color:#000;font-weight:bold">=</span><span style="color:#d14">&#34;java.lang.String&#34;</span> resultType<span style="color:#000;font-weight:bold">=</span><span style="color:#d14">&#34;java.lang.String&#34;</span><span style="color:#000;font-weight:bold">&gt;</span>    
</span></span><span style="display:flex;"><span>      select rule_id from scan_rule_sqlmap_tab where application_id<span style="color:#000;font-weight:bold">=</span><span style="color:#a61717;background-color:#e3d2d2">#</span><span style="color:#000;font-weight:bold">{</span>applicationId<span style="color:#000;font-weight:bold">}</span> 
</span></span><span style="display:flex;"><span><span style="color:#000;font-weight:bold">&lt;/</span>select<span style="color:#000;font-weight:bold">&gt;</span>
</span></span></code></pre></td></tr></table>
</div>
</div><p>应避免外部输入未经过滤直接拼接到SQL语句中，或者通过Mybatis中的${}传入SQL语句（即使使用PreparedStatement，SQL语句直接拼接外部输入也同样有风险）。</p>
<p>例如Mybatis中部分参数通过${}传入SQL语句后，实际执行时调用的是PreparedStatement.execute()，同样存在注入风险。</p>
<h3 id="112必须白名单过滤">1.1.2【必须】白名单过滤</h3>
<p>对于表名、列名等无法进行预编译的场景，比如外部数据拼接到order by, group by语句中，需通过白名单的形式对数据进行校验，例如判断传入列名是否存在、升降序仅允许输入“ASC”和“DESC”、表名列名仅允许输入字符、数字、下划线等。参考示例：</p>
<div class="highlight"><div style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">
<table style="border-spacing:0;padding:0;margin:0;border:0;"><tr><td style="vertical-align:top;padding:0;margin:0;border:0;">
<pre tabindex="0" style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">1
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">2
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">3
</span></code></pre></td>
<td style="vertical-align:top;padding:0;margin:0;border:0;;width:100%">
<pre tabindex="0" style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-java" data-lang="java"><span style="display:flex;"><span><span style="color:#000;font-weight:bold">public</span> String <span style="color:#900;font-weight:bold">someMethod</span><span style="color:#000;font-weight:bold">(</span><span style="color:#458;font-weight:bold">boolean</span> sortOrder<span style="color:#000;font-weight:bold">)</span> <span style="color:#000;font-weight:bold">{</span>
</span></span><span style="display:flex;"><span> String SQLquery <span style="color:#000;font-weight:bold">=</span> <span style="color:#d14">&#34;some SQL ... order by Salary &#34;</span> <span style="color:#000;font-weight:bold">+</span> <span style="color:#000;font-weight:bold">(</span>sortOrder <span style="color:#000;font-weight:bold">?</span> <span style="color:#d14">&#34;ASC&#34;</span> <span style="color:#000;font-weight:bold">:</span> <span style="color:#d14">&#34;DESC&#34;</span><span style="color:#000;font-weight:bold">);</span><span style="color:#a61717;background-color:#e3d2d2">`</span>
</span></span><span style="display:flex;"><span> <span style="color:#000;font-weight:bold">...</span>
</span></span></code></pre></td></tr></table>
</div>
</div><p><a id="2.1.2"></a></p>
<h2 id="12-文件操作">1.2 文件操作</h2>
<h3 id="121必须文件类型限制">1.2.1【必须】文件类型限制</h3>
<p>须在服务器端采用白名单方式对上传或下载的文件类型、大小进行严格的限制。仅允许业务所需文件类型上传，避免上传.jsp、.jspx、.class、.java等可执行文件。参考示例：</p>
<div class="highlight"><div style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">
<table style="border-spacing:0;padding:0;margin:0;border:0;"><tr><td style="vertical-align:top;padding:0;margin:0;border:0;">
<pre tabindex="0" style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 1
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 2
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 3
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 4
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 5
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 6
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 7
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 8
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 9
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">10
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">11
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">12
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">13
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">14
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">15
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">16
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">17
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">18
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">19
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">20
</span></code></pre></td>
<td style="vertical-align:top;padding:0;margin:0;border:0;;width:100%">
<pre tabindex="0" style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-java" data-lang="java"><span style="display:flex;"><span>       String file_name <span style="color:#000;font-weight:bold">=</span> file<span style="color:#000;font-weight:bold">.</span><span style="color:#008080">getOriginalFilename</span><span style="color:#000;font-weight:bold">();</span>
</span></span><span style="display:flex;"><span>        String<span style="color:#000;font-weight:bold">[]</span> parts <span style="color:#000;font-weight:bold">=</span> file_name<span style="color:#000;font-weight:bold">.</span><span style="color:#008080">split</span><span style="color:#000;font-weight:bold">(</span><span style="color:#d14">&#34;\\.&#34;</span><span style="color:#000;font-weight:bold">);</span>
</span></span><span style="display:flex;"><span>        String suffix <span style="color:#000;font-weight:bold">=</span> parts<span style="color:#000;font-weight:bold">[</span>parts<span style="color:#000;font-weight:bold">.</span><span style="color:#008080">length</span> <span style="color:#000;font-weight:bold">-</span> 1<span style="color:#000;font-weight:bold">];</span>
</span></span><span style="display:flex;"><span>        <span style="color:#000;font-weight:bold">switch</span> <span style="color:#000;font-weight:bold">(</span>suffix<span style="color:#000;font-weight:bold">){</span>
</span></span><span style="display:flex;"><span>            <span style="color:#000;font-weight:bold">case</span> <span style="color:#d14">&#34;jpeg&#34;</span><span style="color:#000;font-weight:bold">:</span>
</span></span><span style="display:flex;"><span>                suffix <span style="color:#000;font-weight:bold">=</span> <span style="color:#d14">&#34;.jpeg&#34;</span><span style="color:#000;font-weight:bold">;</span>
</span></span><span style="display:flex;"><span>                <span style="color:#000;font-weight:bold">break</span><span style="color:#000;font-weight:bold">;</span>
</span></span><span style="display:flex;"><span>            <span style="color:#000;font-weight:bold">case</span> <span style="color:#d14">&#34;jpg&#34;</span><span style="color:#000;font-weight:bold">:</span>
</span></span><span style="display:flex;"><span>                suffix <span style="color:#000;font-weight:bold">=</span> <span style="color:#d14">&#34;.jpg&#34;</span><span style="color:#000;font-weight:bold">;</span>
</span></span><span style="display:flex;"><span>                <span style="color:#000;font-weight:bold">break</span><span style="color:#000;font-weight:bold">;</span>
</span></span><span style="display:flex;"><span>            <span style="color:#000;font-weight:bold">case</span> <span style="color:#d14">&#34;bmp&#34;</span><span style="color:#000;font-weight:bold">:</span>
</span></span><span style="display:flex;"><span>                suffix <span style="color:#000;font-weight:bold">=</span> <span style="color:#d14">&#34;.bmp&#34;</span><span style="color:#000;font-weight:bold">;</span>
</span></span><span style="display:flex;"><span>                <span style="color:#000;font-weight:bold">break</span><span style="color:#000;font-weight:bold">;</span>
</span></span><span style="display:flex;"><span>            <span style="color:#000;font-weight:bold">case</span> <span style="color:#d14">&#34;png&#34;</span><span style="color:#000;font-weight:bold">:</span>
</span></span><span style="display:flex;"><span>                suffix <span style="color:#000;font-weight:bold">=</span> <span style="color:#d14">&#34;.png&#34;</span><span style="color:#000;font-weight:bold">;</span>
</span></span><span style="display:flex;"><span>                <span style="color:#000;font-weight:bold">break</span><span style="color:#000;font-weight:bold">;</span>
</span></span><span style="display:flex;"><span>            <span style="color:#000;font-weight:bold">default</span><span style="color:#000;font-weight:bold">:</span>
</span></span><span style="display:flex;"><span>                <span style="color:#998;font-style:italic">//handle error
</span></span></span><span style="display:flex;"><span><span style="color:#998;font-style:italic"></span>                <span style="color:#000;font-weight:bold">return</span> <span style="color:#d14">&#34;error&#34;</span><span style="color:#000;font-weight:bold">;</span>
</span></span><span style="display:flex;"><span>        <span style="color:#000;font-weight:bold">}</span>
</span></span></code></pre></td></tr></table>
</div>
</div><h3 id="122必须禁止外部文件存储于可执行目录">1.2.2【必须】禁止外部文件存储于可执行目录</h3>
<p>禁止外部文件存储于WEB容器的可执行目录（appBase）。建议保存在专门的文件服务器中。</p>
<h3 id="123建议避免路径拼接">1.2.3【建议】避免路径拼接</h3>
<p>文件目录避免外部参数拼接。保存文件目录建议后台写死并对文件名进行校验（字符类型、长度）。建议文件保存时，将文件名替换为随机字符串。</p>
<h3 id="124必须避免路径穿越">1.2.4【必须】避免路径穿越</h3>
<p>如因业务需要不能满足1.2.3的要求，文件路径、文件名中拼接了不可信数据，需判断请求文件名和文件路径参数中是否存在../或..\（仅Windows），如存在应判定路径非法并拒绝请求。</p>
<p><a id="2.1.3"></a></p>
<h2 id="13-网络访问">1.3 网络访问</h2>
<h3 id="131必须避免直接访问不可信地址">1.3.1【必须】避免直接访问不可信地址</h3>
<p>服务器访问不可信地址时，禁止访问私有地址段及内网域名。</p>
<pre tabindex="0"><code>// 以RFC定义的专有网络为例，如有自定义私有网段亦应加入禁止访问列表。
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
127.0.0.0/8
</code></pre><p>建议通过URL解析函数进行解析，获取host或者domain后通过DNS获取其IP，然后和内网地址进行比较。校验时使用的解析结果应与实际建立连接时使用的一致，否则两次解析之间结果发生变化会使校验失效。</p>
<p>对已校验通过的地址进行访问时，应关闭自动跟随跳转（重定向）功能。</p>
<p>参考示例：</p>
<div class="highlight"><div style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">
<table style="border-spacing:0;padding:0;margin:0;border:0;"><tr><td style="vertical-align:top;padding:0;margin:0;border:0;">
<pre tabindex="0" style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">1
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">2
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">3
</span></code></pre></td>
<td style="vertical-align:top;padding:0;margin:0;border:0;;width:100%">
<pre tabindex="0" style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-java" data-lang="java"><span style="display:flex;"><span>     httpConnection <span style="color:#000;font-weight:bold">=</span> <span style="color:#000;font-weight:bold">(</span>HttpURLConnection<span style="color:#000;font-weight:bold">)</span> Url<span style="color:#000;font-weight:bold">.</span><span style="color:#008080">openConnection</span><span style="color:#000;font-weight:bold">();</span>
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span>     httpConnection<span style="color:#000;font-weight:bold">.</span><span style="color:#008080">setFollowRedirects</span><span style="color:#000;font-weight:bold">(</span><span style="color:#000;font-weight:bold">false</span><span style="color:#000;font-weight:bold">);</span>
</span></span></code></pre></td></tr></table>
</div>
</div><p><a id="2.1.4"></a></p>
<h2 id="14-xml读写">1.4 XML读写</h2>
<h3 id="141必须xml解析器关闭dtd解析">1.4.1【必须】XML解析器关闭DTD解析</h3>
<p>读取外部传入XML文件时，XML解析器初始化过程中设置关闭DTD解析。</p>
<p>参考示例：</p>
<p>javax.xml.parsers.DocumentBuilderFactory</p>
<div class="highlight"><div style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">
<table style="border-spacing:0;padding:0;margin:0;border:0;"><tr><td style="vertical-align:top;padding:0;margin:0;border:0;">
<pre tabindex="0" style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 1
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 2
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 3
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 4
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 5
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 6
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 7
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 8
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 9
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">10
</span></code></pre></td>
<td style="vertical-align:top;padding:0;margin:0;border:0;;width:100%">
<pre tabindex="0" style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-java" data-lang="java"><span style="display:flex;"><span>DocumentBuilderFactory dbf <span style="color:#000;font-weight:bold">=</span> DocumentBuilderFactory<span style="color:#000;font-weight:bold">.</span><span style="color:#008080">newInstance</span><span style="color:#000;font-weight:bold">();</span>
</span></span><span style="display:flex;"><span><span style="color:#000;font-weight:bold">try</span> <span style="color:#000;font-weight:bold">{</span>
</span></span><span style="display:flex;"><span>    dbf<span style="color:#000;font-weight:bold">.</span><span style="color:#008080">setFeature</span><span style="color:#000;font-weight:bold">(</span><span style="color:#d14">&#34;http://apache.org/xml/features/disallow-doctype-decl&#34;</span><span style="color:#000;font-weight:bold">,</span> <span style="color:#000;font-weight:bold">true</span><span style="color:#000;font-weight:bold">);</span>
</span></span><span style="display:flex;"><span>    dbf<span style="color:#000;font-weight:bold">.</span><span style="color:#008080">setFeature</span><span style="color:#000;font-weight:bold">(</span><span style="color:#d14">&#34;http://xml.org/sax/features/external-general-entities&#34;</span><span style="color:#000;font-weight:bold">,</span> <span style="color:#000;font-weight:bold">false</span><span style="color:#000;font-weight:bold">);</span>
</span></span><span style="display:flex;"><span>    dbf<span style="color:#000;font-weight:bold">.</span><span style="color:#008080">setFeature</span><span style="color:#000;font-weight:bold">(</span><span style="color:#d14">&#34;http://xml.org/sax/features/external-parameter-entities&#34;</span><span style="color:#000;font-weight:bold">,</span> <span style="color:#000;font-weight:bold">false</span><span style="color:#000;font-weight:bold">);</span>
</span></span><span style="display:flex;"><span>    dbf<span style="color:#000;font-weight:bold">.</span><span style="color:#008080">setFeature</span><span style="color:#000;font-weight:bold">(</span><span style="color:#d14">&#34;http://apache.org/xml/features/nonvalidating/load-external-dtd&#34;</span><span style="color:#000;font-weight:bold">,</span> <span style="color:#000;font-weight:bold">false</span><span style="color:#000;font-weight:bold">);</span>
</span></span><span style="display:flex;"><span>    dbf<span style="color:#000;font-weight:bold">.</span><span style="color:#008080">setXIncludeAware</span><span style="color:#000;font-weight:bold">(</span><span style="color:#000;font-weight:bold">false</span><span style="color:#000;font-weight:bold">);</span>
</span></span><span style="display:flex;"><span>    dbf<span style="color:#000;font-weight:bold">.</span><span style="color:#008080">setExpandEntityReferences</span><span style="color:#000;font-weight:bold">(</span><span style="color:#000;font-weight:bold">false</span><span style="color:#000;font-weight:bold">);</span>
</span></span><span style="display:flex;"><span>    <span style="color:#a61717;background-color:#e3d2d2">……</span>
</span></span><span style="display:flex;"><span><span style="color:#000;font-weight:bold">}</span>
</span></span></code></pre></td></tr></table>
</div>
</div><p>org.dom4j.io.SAXReader</p>
<div class="highlight"><div style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">
<table style="border-spacing:0;padding:0;margin:0;border:0;"><tr><td style="vertical-align:top;padding:0;margin:0;border:0;">
<pre tabindex="0" style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">1
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">2
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">3
</span></code></pre></td>
<td style="vertical-align:top;padding:0;margin:0;border:0;;width:100%">
<pre tabindex="0" style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-java" data-lang="java"><span style="display:flex;"><span>saxReader<span style="color:#000;font-weight:bold">.</span><span style="color:#008080">setFeature</span><span style="color:#000;font-weight:bold">(</span><span style="color:#d14">&#34;http://apache.org/xml/features/disallow-doctype-decl&#34;</span><span style="color:#000;font-weight:bold">,</span> <span style="color:#000;font-weight:bold">true</span><span style="color:#000;font-weight:bold">);</span>
</span></span><span style="display:flex;"><span>saxReader<span style="color:#000;font-weight:bold">.</span><span style="color:#008080">setFeature</span><span style="color:#000;font-weight:bold">(</span><span style="color:#d14">&#34;http://xml.org/sax/features/external-general-entities&#34;</span><span style="color:#000;font-weight:bold">,</span> <span style="color:#000;font-weight:bold">false</span><span style="color:#000;font-weight:bold">);</span>
</span></span><span style="display:flex;"><span>saxReader<span style="color:#000;font-weight:bold">.</span><span style="color:#008080">setFeature</span><span style="color:#000;font-weight:bold">(</span><span style="color:#d14">&#34;http://xml.org/sax/features/external-parameter-entities&#34;</span><span style="color:#000;font-weight:bold">,</span> <span style="color:#000;font-weight:bold">false</span><span style="color:#000;font-weight:bold">);</span>
</span></span></code></pre></td></tr></table>
</div>
</div><p>org.jdom2.input.SAXBuilder</p>
<div class="highlight"><div style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">
<table style="border-spacing:0;padding:0;margin:0;border:0;"><tr><td style="vertical-align:top;padding:0;margin:0;border:0;">
<pre tabindex="0" style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">1
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">2
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">3
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">4
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">5
</span></code></pre></td>
<td style="vertical-align:top;padding:0;margin:0;border:0;;width:100%">
<pre tabindex="0" style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-java" data-lang="java"><span style="display:flex;"><span>SAXBuilder builder <span style="color:#000;font-weight:bold">=</span> <span style="color:#000;font-weight:bold">new</span> SAXBuilder<span style="color:#000;font-weight:bold">();</span>
</span></span><span style="display:flex;"><span>builder<span style="color:#000;font-weight:bold">.</span><span style="color:#008080">setFeature</span><span style="color:#000;font-weight:bold">(</span><span style="color:#d14">&#34;http://apache.org/xml/features/disallow-doctype-decl&#34;</span><span style="color:#000;font-weight:bold">,</span><span style="color:#000;font-weight:bold">true</span><span style="color:#000;font-weight:bold">);</span>
</span></span><span style="display:flex;"><span>builder<span style="color:#000;font-weight:bold">.</span><span style="color:#008080">setFeature</span><span style="color:#000;font-weight:bold">(</span><span style="color:#d14">&#34;http://xml.org/sax/features/external-general-entities&#34;</span><span style="color:#000;font-weight:bold">,</span> <span style="color:#000;font-weight:bold">false</span><span style="color:#000;font-weight:bold">);</span>
</span></span><span style="display:flex;"><span>builder<span style="color:#000;font-weight:bold">.</span><span style="color:#008080">setFeature</span><span style="color:#000;font-weight:bold">(</span><span style="color:#d14">&#34;http://xml.org/sax/features/external-parameter-entities&#34;</span><span style="color:#000;font-weight:bold">,</span> <span style="color:#000;font-weight:bold">false</span><span style="color:#000;font-weight:bold">);</span>
</span></span><span style="display:flex;"><span>Document doc <span style="color:#000;font-weight:bold">=</span> builder<span style="color:#000;font-weight:bold">.</span><span style="color:#008080">build</span><span style="color:#000;font-weight:bold">(</span><span style="color:#000;font-weight:bold">new</span> File<span style="color:#000;font-weight:bold">(</span>fileName<span style="color:#000;font-weight:bold">));</span>
</span></span></code></pre></td></tr></table>
</div>
</div><p>org.xml.sax.XMLReader</p>
<div class="highlight"><div style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">
<table style="border-spacing:0;padding:0;margin:0;border:0;"><tr><td style="vertical-align:top;padding:0;margin:0;border:0;">
<pre tabindex="0" style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">1
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">2
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">3
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">4
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">5
</span></code></pre></td>
<td style="vertical-align:top;padding:0;margin:0;border:0;;width:100%">
<pre tabindex="0" style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-java" data-lang="java"><span style="display:flex;"><span>XMLReader reader <span style="color:#000;font-weight:bold">=</span> XMLReaderFactory<span style="color:#000;font-weight:bold">.</span><span style="color:#008080">createXMLReader</span><span style="color:#000;font-weight:bold">();</span>
</span></span><span style="display:flex;"><span>reader<span style="color:#000;font-weight:bold">.</span><span style="color:#008080">setFeature</span><span style="color:#000;font-weight:bold">(</span><span style="color:#d14">&#34;http://apache.org/xml/features/disallow-doctype-decl&#34;</span><span style="color:#000;font-weight:bold">,</span> <span style="color:#000;font-weight:bold">true</span><span style="color:#000;font-weight:bold">);</span>
</span></span><span style="display:flex;"><span>reader<span style="color:#000;font-weight:bold">.</span><span style="color:#008080">setFeature</span><span style="color:#000;font-weight:bold">(</span><span style="color:#d14">&#34;http://apache.org/xml/features/nonvalidating/load-external-dtd&#34;</span><span style="color:#000;font-weight:bold">,</span> <span style="color:#000;font-weight:bold">false</span><span style="color:#000;font-weight:bold">);</span>
</span></span><span style="display:flex;"><span>reader<span style="color:#000;font-weight:bold">.</span><span style="color:#008080">setFeature</span><span style="color:#000;font-weight:bold">(</span><span style="color:#d14">&#34;http://xml.org/sax/features/external-general-entities&#34;</span><span style="color:#000;font-weight:bold">,</span> <span style="color:#000;font-weight:bold">false</span><span style="color:#000;font-weight:bold">);</span>
</span></span><span style="display:flex;"><span>reader<span style="color:#000;font-weight:bold">.</span><span style="color:#008080">setFeature</span><span style="color:#000;font-weight:bold">(</span><span style="color:#d14">&#34;http://xml.org/sax/features/external-parameter-entities&#34;</span><span style="color:#000;font-weight:bold">,</span> <span style="color:#000;font-weight:bold">false</span><span style="color:#000;font-weight:bold">);</span>
</span></span></code></pre></td></tr></table>
</div>
</div><p><a id="2.1.5"></a></p>
<h2 id="15-响应输出">1.5 响应输出</h2>
<h3 id="151必须设置正确的http响应包类型">1.5.1【必须】设置正确的HTTP响应包类型</h3>
<p>响应包的HTTP头“Content-Type”必须正确配置为响应内容的实际类型，禁止将非HTML类型的响应设置为“text/html”。否则浏览器在直接访问链接时，会将非HTML格式的返回报文当作HTML解析，增加反射型XSS的触发几率。</p>
<h3 id="152建议设置安全的http响应头">1.5.2【建议】设置安全的HTTP响应头</h3>
<ul>
<li>X-Content-Type-Options：</li>
</ul>
<p>​        建议添加“X-Content-Type-Options”响应头并将其值设置为“nosniff”，可避免部分浏览器根据其“Content-Sniff”特性，将一些非“text/html”类型的响应作为HTML解析，增加反射型XSS的触发几率。</p>
<ul>
<li>HttpOnly：</li>
</ul>
<p>用于登录鉴权的Cookie字段应当设置HttpOnly属性，以防止被XSS漏洞或页面JavaScript读取泄漏；在HTTPS站点上还应同时设置Secure属性。</p>
<ul>
<li>X-Frame-Options：</li>
</ul>
<p>设置X-Frame-Options响应头，并根据需求合理设置其允许范围。该头用于指示浏览器是否允许当前页面在frame、iframe、embed等标签中展现，从而避免点击劫持问题。它有三个可选的值：
DENY：浏览器会拒绝当前页面在任何frame中加载；
SAMEORIGIN：仅允许同源页面通过frame加载当前页面；
ALLOW-FROM origin：指定允许通过frame加载当前页面的来源（主流浏览器已不再支持该值，需要按来源放行时应改用CSP的frame-ancestors指令）。</p>
<ul>
<li>
<p>Access-Control-Allow-Origin</p>
<p>当需要配置CORS跨域时，应对请求头的Origin值做严格过滤：与可信来源列表做完整、精确的比较（不能只做前缀或子串匹配），并只回显通过校验的Origin。注意Origin请求头可能不存在，取值后应先判空再比较；当响应携带Access-Control-Allow-Credentials: true时，禁止使用通配符*。</p>
<div class="highlight"><div style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">
<table style="border-spacing:0;padding:0;margin:0;border:0;"><tr><td style="vertical-align:top;padding:0;margin:0;border:0;">
<pre tabindex="0" style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">1
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">2
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">3
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">4
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">5
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">6
</span></code></pre></td>
<td style="vertical-align:top;padding:0;margin:0;border:0;;width:100%">
<pre tabindex="0" style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-java" data-lang="java"><span style="display:flex;"><span><span style="color:#000;font-weight:bold">...</span>
</span></span><span style="display:flex;"><span>String currentOrigin <span style="color:#000;font-weight:bold">=</span> request<span style="color:#000;font-weight:bold">.</span><span style="color:#008080">getHeader</span><span style="color:#000;font-weight:bold">(</span><span style="color:#d14">&#34;Origin&#34;</span><span style="color:#000;font-weight:bold">);</span>
</span></span><span style="display:flex;"><span><span style="color:#000;font-weight:bold">if</span> <span style="color:#000;font-weight:bold">(</span>currentOrigin<span style="color:#000;font-weight:bold">.</span><span style="color:#008080">equals</span><span style="color:#000;font-weight:bold">(</span><span style="color:#d14">&#34;https://domain.qq.com&#34;</span><span style="color:#000;font-weight:bold">))</span> <span style="color:#000;font-weight:bold">{</span>
</span></span><span style="display:flex;"><span>       response<span style="color:#000;font-weight:bold">.</span><span style="color:#008080">setHeader</span><span style="color:#000;font-weight:bold">(</span><span style="color:#d14">&#34;Access-Control-Allow-Origin&#34;</span><span style="color:#000;font-weight:bold">,</span> currentOrigin<span style="color:#000;font-weight:bold">);</span>
</span></span><span style="display:flex;"><span>           <span style="color:#000;font-weight:bold">}</span>
</span></span><span style="display:flex;"><span> <span style="color:#000;font-weight:bold">...</span>
</span></span></code></pre></td></tr></table>
</div>
</div></li>
</ul>
<h3 id="153必须外部输入拼接到response页面前进行编码处理">1.5.3【必须】外部输入拼接到response页面前进行编码处理</h3>
<p>当响应的“Content-Type”为HTML类型时，外部输入拼接到响应包中，需根据输出位置进行编码处理。编码规则：</p>
<table>
<thead>
<tr>
<th>场景</th>
<th>编码规则</th>
</tr>
</thead>
<tbody>
<tr>
<td>输出点在HTML标签之间</td>
<td>需要对以下6个特殊字符进行HTML实体编码(&amp;, &lt;, &gt;, &quot;, &#39;, /)。<br/>示例：<br/>&amp; -&gt; &amp;amp;<br/>&lt; -&gt; &amp;lt;<br/>&gt; -&gt; &amp;gt;<br/>&quot; -&gt; &amp;quot;<br/>&#39; -&gt; &amp;#x27;<br/>/ -&gt; &amp;#x2F;</td>
</tr>
<tr>
<td>输出点在HTML标签普通属性内（如href、src、style等，on事件除外）</td>
<td>要对数据进行HTML属性编码。<br/>编码规则：除了阿拉伯数字和字母，对其他所有的字符进行编码，只要该字符的ASCII码小于256。编码后输出的格式为&amp;#xHH;(以&amp;#x开头，HH则是指该字符对应的十六进制数字，分号作为结束符)</td>
</tr>
<tr>
<td>输出点在JS内的数据中</td>
<td>需要进行JS编码<br/>编码规则：<br/>除了阿拉伯数字和字母，对其他所有的字符进行编码，只要该字符的ASCII码小于256。编码后输出的格式为 \xHH（以 \x 开头，HH则是指该字符对应的十六进制数字）<br/>Tips：这种场景仅限于外部数据拼接在JS里被引号括起来的字符串字面量中。除此之外，禁止将外部数据直接拼接到JS代码中。</td>
</tr>
<tr>
<td>输出点在CSS中（Style属性）</td>
<td>需要进行CSS编码<br/>编码规则：<br/>除了阿拉伯数字和字母，对其他所有的字符进行编码，只要该字符的ASCII码小于256。编码后输出的格式为 \HH （以 \ 开头，HH则是指该字符对应的十六进制数字）</td>
</tr>
<tr>
<td>输出点在URL属性中</td>
<td>对这些数据进行URL编码<br/>Tips：除此之外，所有链接类属性应该校验其协议，仅允许http、https等预期协议，禁止javascript:、data:和vbscript:伪协议。</td>
</tr>
</tbody>
</table>
<p>以上编码规则相对较为繁琐，可参考或直接使用业界已有的成熟第三方库，如ESAPI。其提供以下函数，对应上表中的编码规则：</p>
<div class="highlight"><div style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">
<table style="border-spacing:0;padding:0;margin:0;border:0;"><tr><td style="vertical-align:top;padding:0;margin:0;border:0;">
<pre tabindex="0" style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">1
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">2
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">3
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">4
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">5
</span></code></pre></td>
<td style="vertical-align:top;padding:0;margin:0;border:0;;width:100%">
<pre tabindex="0" style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-java" data-lang="java"><span style="display:flex;"><span>ESAPI<span style="color:#000;font-weight:bold">.</span><span style="color:#008080">encoder</span><span style="color:#000;font-weight:bold">().</span><span style="color:#008080">encodeForHTML</span><span style="color:#000;font-weight:bold">();</span>
</span></span><span style="display:flex;"><span>ESAPI<span style="color:#000;font-weight:bold">.</span><span style="color:#008080">encoder</span><span style="color:#000;font-weight:bold">().</span><span style="color:#008080">encodeForHTMLAttribute</span><span style="color:#000;font-weight:bold">();</span>
</span></span><span style="display:flex;"><span>ESAPI<span style="color:#000;font-weight:bold">.</span><span style="color:#008080">encoder</span><span style="color:#000;font-weight:bold">().</span><span style="color:#008080">encodeForJavaScript</span><span style="color:#000;font-weight:bold">();</span>
</span></span><span style="display:flex;"><span>ESAPI<span style="color:#000;font-weight:bold">.</span><span style="color:#008080">encoder</span><span style="color:#000;font-weight:bold">().</span><span style="color:#008080">encodeForCSS</span><span style="color:#000;font-weight:bold">();</span>
</span></span><span style="display:flex;"><span>ESAPI<span style="color:#000;font-weight:bold">.</span><span style="color:#008080">encoder</span><span style="color:#000;font-weight:bold">().</span><span style="color:#008080">encodeForURL</span><span style="color:#000;font-weight:bold">();</span>
</span></span></code></pre></td></tr></table>
</div>
</div><h3 id="154必须外部输入拼接到http响应头中需进行过滤">1.5.4【必须】外部输入拼接到HTTP响应头中需进行过滤</h3>
<p>应尽量避免将外部可控参数拼接到HTTP响应头中；如业务确有需要，则必须过滤掉“\r”、“\n”等换行符（避免HTTP响应拆分/头注入），或者直接拒绝携带换行符的外部输入。</p>
<h3 id="155必须避免不可信域名的302跳转">1.5.5【必须】避免不可信域名的302跳转</h3>
<p>如果对外部传入域名进行302跳转，必须设置可信域名列表并对传入域名进行校验。</p>
<p>为避免校验被绕过，应避免直接对URL做字符串匹配（如前缀、子串或“包含可信域名”判断）。应通过URL解析函数进行解析，获取host或domain后再与白名单进行比较。</p>
<p>需要注意的是，由于浏览器的容错机制，URL<code>https://www.qq.com\www.bbb.com</code>中的<code>\</code>会被替换成<code>/</code>，最终跳转到<code>www.qq.com</code>；而Java的URL解析函数则无此特性。为避免解析不一致导致绕过，建议在解析前先将URL中的<code>\</code>和<code>#</code>替换为<code>/</code>（与下面的参考代码一致）。</p>
<p>参考代码（注意：示例在捕获MalformedURLException后仅打印堆栈，host保持为空串，因而会落入else分支被拒绝；实际实现中应直接拒绝该请求，且不要把异常信息输出给客户端，见1.5.8）：</p>
<div class="highlight"><div style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">
<table style="border-spacing:0;padding:0;margin:0;border:0;"><tr><td style="vertical-align:top;padding:0;margin:0;border:0;">
<pre tabindex="0" style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 1
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 2
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 3
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 4
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 5
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 6
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 7
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 8
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 9
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">10
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">11
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">12
</span></code></pre></td>
<td style="vertical-align:top;padding:0;margin:0;border:0;;width:100%">
<pre tabindex="0" style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-java" data-lang="java"><span style="display:flex;"><span>String host<span style="color:#000;font-weight:bold">=</span><span style="color:#d14">&#34;&#34;</span><span style="color:#000;font-weight:bold">;</span>
</span></span><span style="display:flex;"><span>		<span style="color:#000;font-weight:bold">try</span> <span style="color:#000;font-weight:bold">{</span>
</span></span><span style="display:flex;"><span>		    url <span style="color:#000;font-weight:bold">=</span> url<span style="color:#000;font-weight:bold">.</span><span style="color:#008080">replaceAll</span><span style="color:#000;font-weight:bold">(</span><span style="color:#d14">&#34;[\\\\#]&#34;</span><span style="color:#000;font-weight:bold">,</span><span style="color:#d14">&#34;/&#34;</span><span style="color:#000;font-weight:bold">);</span> <span style="color:#998;font-style:italic">//替换掉反斜线和井号
</span></span></span><span style="display:flex;"><span><span style="color:#998;font-style:italic"></span>		    host <span style="color:#000;font-weight:bold">=</span> <span style="color:#000;font-weight:bold">new</span> URL<span style="color:#000;font-weight:bold">(</span>url<span style="color:#000;font-weight:bold">).</span><span style="color:#008080">getHost</span><span style="color:#000;font-weight:bold">();</span>  
</span></span><span style="display:flex;"><span>		<span style="color:#000;font-weight:bold">}</span> <span style="color:#000;font-weight:bold">catch</span> <span style="color:#000;font-weight:bold">(</span>MalformedURLException e<span style="color:#000;font-weight:bold">)</span> <span style="color:#000;font-weight:bold">{</span>
</span></span><span style="display:flex;"><span>		    e<span style="color:#000;font-weight:bold">.</span><span style="color:#008080">printStackTrace</span><span style="color:#000;font-weight:bold">();</span>
</span></span><span style="display:flex;"><span>		<span style="color:#000;font-weight:bold">}</span>
</span></span><span style="display:flex;"><span>		<span style="color:#000;font-weight:bold">if</span> <span style="color:#000;font-weight:bold">(</span>host<span style="color:#000;font-weight:bold">.</span><span style="color:#008080">endsWith</span><span style="color:#000;font-weight:bold">(</span><span style="color:#d14">&#34;.qq.com&#34;</span><span style="color:#000;font-weight:bold">)){</span>
</span></span><span style="display:flex;"><span>			<span style="color:#998;font-style:italic">//跳转操作
</span></span></span><span style="display:flex;"><span><span style="color:#998;font-style:italic"></span>		<span style="color:#000;font-weight:bold">}</span><span style="color:#000;font-weight:bold">else</span><span style="color:#000;font-weight:bold">{</span>
</span></span><span style="display:flex;"><span>			<span style="color:#000;font-weight:bold">return</span><span style="color:#000;font-weight:bold">;</span>
</span></span><span style="display:flex;"><span>		<span style="color:#000;font-weight:bold">}</span>
</span></span></code></pre></td></tr></table>
</div>
</div><h3 id="156必须避免通过jsonp传输非公开敏感信息">1.5.6【必须】避免通过Jsonp传输非公开敏感信息</h3>
<p>JSONP请求在遭受CSRF攻击时，其响应内容可被攻击方页面读取，导致信息泄露。应避免通过JSONP传输非公开的敏感信息，例如用户隐私信息、身份凭证等。</p>
<h3 id="157必须限定jsonp接口的callback字符集范围">1.5.7【必须】限定JSONP接口的callback字符集范围</h3>
<p>JSONP接口的callback函数名应为固定白名单。如callback函数名可由用户自定义，应限制函数名仅包含字母、数字和下划线。如：<code>[a-zA-Z0-9_-]+</code>（注意该示例还放行了<code>-</code>，与“仅字母、数字和下划线”的规则不一致，按规则应为<code>[a-zA-Z0-9_]+</code>）。</p>
<h3 id="158必须屏蔽异常栈">1.5.8【必须】屏蔽异常栈</h3>
<p>应用程序出现异常时，禁止将数据库版本、数据库结构、操作系统版本、堆栈跟踪、文件名和路径信息、SQL 查询字符串等对攻击者有用的信息返回给客户端。建议重定向到一个统一、默认的错误提示页面，进行信息过滤，同时在服务端记录完整的异常日志以便排查。</p>
<h3 id="159必须模板表达式">1.5.9【必须】模板&amp;表达式</h3>
<p>web view层通常通过模板技术或者表达式引擎来实现界面与业务数据分离，比如jsp中的EL表达式。这些引擎通常可执行敏感操作，如果外部不可信数据未经过滤就拼接到表达式中进行解析，则可能造成严重漏洞。</p>
<p>下列是基于EL表达式注入漏洞的演示demo：</p>
<div class="highlight"><div style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">
<table style="border-spacing:0;padding:0;margin:0;border:0;"><tr><td style="vertical-align:top;padding:0;margin:0;border:0;">
<pre tabindex="0" style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">1
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">2
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">3
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">4
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">5
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">6
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">7
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">8
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">9
</span></code></pre></td>
<td style="vertical-align:top;padding:0;margin:0;border:0;;width:100%">
<pre tabindex="0" style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-java" data-lang="java"><span style="display:flex;"><span>	<span style="color:#3c5d5d;font-weight:bold">@RequestMapping</span><span style="color:#000;font-weight:bold">(</span><span style="color:#d14">&#34;/ELdemo&#34;</span><span style="color:#000;font-weight:bold">)</span>
</span></span><span style="display:flex;"><span>	<span style="color:#3c5d5d;font-weight:bold">@ResponseBody</span>
</span></span><span style="display:flex;"><span>	<span style="color:#000;font-weight:bold">public</span> String <span style="color:#900;font-weight:bold">ELdemo</span><span style="color:#000;font-weight:bold">(</span>RepeatDTO repeat<span style="color:#000;font-weight:bold">)</span> <span style="color:#000;font-weight:bold">{</span>
</span></span><span style="display:flex;"><span>		ExpressionFactory expressionFactory <span style="color:#000;font-weight:bold">=</span> <span style="color:#000;font-weight:bold">new</span> ExpressionFactoryImpl<span style="color:#000;font-weight:bold">();</span>
</span></span><span style="display:flex;"><span>        SimpleContext simpleContext <span style="color:#000;font-weight:bold">=</span> <span style="color:#000;font-weight:bold">new</span> SimpleContext<span style="color:#000;font-weight:bold">();</span>
</span></span><span style="display:flex;"><span>        String exp <span style="color:#000;font-weight:bold">=</span> <span style="color:#d14">&#34;${&#34;</span><span style="color:#000;font-weight:bold">+</span>repeat<span style="color:#000;font-weight:bold">.</span><span style="color:#008080">getel</span><span style="color:#000;font-weight:bold">()+</span><span style="color:#d14">&#34;}&#34;</span><span style="color:#000;font-weight:bold">;</span>
</span></span><span style="display:flex;"><span>        ValueExpression valueExpression <span style="color:#000;font-weight:bold">=</span>       expressionFactory<span style="color:#000;font-weight:bold">.</span><span style="color:#008080">createValueExpression</span><span style="color:#000;font-weight:bold">(</span>simpleContext<span style="color:#000;font-weight:bold">,</span> exp<span style="color:#000;font-weight:bold">,</span> String<span style="color:#000;font-weight:bold">.</span><span style="color:#008080">class</span><span style="color:#000;font-weight:bold">);</span>		
</span></span><span style="display:flex;"><span>		<span style="color:#000;font-weight:bold">return</span> valueExpression<span style="color:#000;font-weight:bold">.</span><span style="color:#008080">getValue</span><span style="color:#000;font-weight:bold">(</span>simpleContext<span style="color:#000;font-weight:bold">).</span><span style="color:#008080">toString</span><span style="color:#000;font-weight:bold">();</span>
</span></span><span style="display:flex;"><span>	<span style="color:#000;font-weight:bold">}</span>
</span></span></code></pre></td></tr></table>
</div>
</div><p>外部可通过el参数，将不可信输入拼接到EL表达式中并解析。</p>
<p>此时外部访问：x.x.x.x/ELdemo?el=”&rsquo;&rsquo;.getClass().forName(&lsquo;java.lang.Runtime&rsquo;).getMethod(&rsquo;exec&rsquo;,&rsquo;&rsquo;.getClass()).invoke(&rsquo;&rsquo;.getClass().forName(&lsquo;java.lang.Runtime&rsquo;).getMethod(&lsquo;getRuntime&rsquo;).invoke(null),&lsquo;open /Applications/Calculator.app&rsquo;)“ 可执行操作系统命令调出计算器。</p>
<p>基于以上风险：</p>
<ul>
<li>应避免将外部输入的内容拼接到EL表达式或其他表达式引擎、模板引擎中进行解析。</li>
<li>对外部输入做白名单过滤，仅允许字母、数字、下划线等。</li>
</ul>
<p><a id="2.1.6"></a></p>
<h2 id="16-os命令执行">1.6 OS命令执行</h2>
<h3 id="161建议避免不可信数据拼接操作系统命令">1.6.1【建议】避免不可信数据拼接操作系统命令</h3>
<p>当存在不可信数据时，应尽量避免将外部数据拼接到操作系统命令中并通过 <code>Runtime</code> 或 <code>ProcessBuilder</code> 执行。优先使用其他同类操作进行代替，比如通过文件系统API进行文件操作，而非直接调用操作系统命令。</p>
<h3 id="162必须避免创建shell操作">1.6.2【必须】避免创建SHELL操作</h3>
<p>如无法避免直接访问操作系统命令，需要严格管理外部传入参数，使不可信数据仅作为执行命令的参数而非命令。</p>
<ul>
<li>
<p>禁止外部数据直接作为操作系统命令执行。</p>
</li>
<li>
<p>避免通过“cmd”、“bash”、“sh”等命令创建shell后拼接外部数据来执行操作系统命令；应使用 <code>ProcessBuilder</code> 的参数数组形式，使外部数据只能作为单个参数传递。</p>
</li>
<li>
<p>对外部传入数据进行过滤。可通过白名单限制字符类型，仅允许字母、数字、下划线；或过滤/转义以下符号：|;&amp;$&gt;&lt;`（反引号）!</p>
<p>白名单示例：</p>
<div class="highlight"><div style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">
<table style="border-spacing:0;padding:0;margin:0;border:0;"><tr><td style="vertical-align:top;padding:0;margin:0;border:0;">
<pre tabindex="0" style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">1
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">2
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">3
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">4
</span></code></pre></td>
<td style="vertical-align:top;padding:0;margin:0;border:0;;width:100%">
<pre tabindex="0" style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-java" data-lang="java"><span style="display:flex;"><span><span style="color:#000;font-weight:bold">private</span> <span style="color:#000;font-weight:bold">static</span> <span style="color:#000;font-weight:bold">final</span> Pattern FILTER_PATTERN <span style="color:#000;font-weight:bold">=</span> Pattern<span style="color:#000;font-weight:bold">.</span><span style="color:#008080">compile</span><span style="color:#000;font-weight:bold">(</span><span style="color:#d14">&#34;[0-9A-Za-z_]+&#34;</span><span style="color:#000;font-weight:bold">);</span>
</span></span><span style="display:flex;"><span><span style="color:#000;font-weight:bold">if</span> <span style="color:#000;font-weight:bold">(!</span>FILTER_PATTERN<span style="color:#000;font-weight:bold">.</span><span style="color:#008080">matcher</span><span style="color:#000;font-weight:bold">(</span>input<span style="color:#000;font-weight:bold">).</span><span style="color:#008080">matches</span><span style="color:#000;font-weight:bold">())</span> <span style="color:#000;font-weight:bold">{</span>
</span></span><span style="display:flex;"><span>  <span style="color:#998;font-style:italic">// 终止当前请求的处理
</span></span></span><span style="display:flex;"><span><span style="color:#998;font-style:italic"></span><span style="color:#000;font-weight:bold">}</span>
</span></span></code></pre></td></tr></table>
</div>
</div></li>
</ul>
<p><a id="2.1.7"></a></p>
<h2 id="17-会话管理">1.7 会话管理</h2>
<h3 id="171必须非一次有效身份凭证禁止在url中传输">1.7.1【必须】非一次有效身份凭证禁止在URL中传输</h3>
<p>身份凭证禁止在URL中传输，一次有效的身份凭证除外（如CAS中的st）。</p>
<h3 id="172必须避免未经校验的数据直接给会话赋值">1.7.2【必须】避免未经校验的数据直接给会话赋值</h3>
<p>防止会话信息被篡改，如恶意用户通过URL篡改手机号码等。</p>
<p><a id="2.1.8"></a></p>
<h2 id="18-加解密">1.8 加解密</h2>
<h3 id="181建议对称加密">1.8.1【建议】对称加密</h3>
<p>建议使用AES，密钥长度128位以上。禁止使用DES算法，由于其密钥太短，目前已被认定为不安全的加密算法。使用AES加密算法请参考以下注意事项：</p>
<ul>
<li>AES算法如果采用CBC模式：每次加密时IV必须由密码学安全的伪随机数发生器（如/dev/urandom、SecureRandom）生成，禁止填充全0等固定值；CBC模式本身不提供完整性保护，需另行配合MAC（如HMAC）校验密文。</li>
<li>AES算法如采用GCM模式，nonce须由密码学安全的伪随机数发生器生成，且在同一密钥下绝不能重复使用。</li>
<li>AES算法避免使用ECB模式，推荐使用GCM模式。</li>
</ul>
<h3 id="182建议非对称加密">1.8.2【建议】非对称加密</h3>
<p>建议使用RSA算法，密钥长度2048位及以上。</p>
<h3 id="183建议哈希算法">1.8.3【建议】哈希算法</h3>
<p>哈希算法推荐使用SHA-2及以上。对于签名场景，应使用HMAC算法。如果采用字符串拼接盐值后哈希的方式，禁止将盐值置于字符串开头，以避免哈希长度扩展攻击。</p>
<h3 id="184建议密码存储策略">1.8.4【建议】密码存储策略</h3>
<p>建议采用随机盐+明文密码进行多轮哈希后存储密码，优先使用专门的密码哈希算法（如PBKDF2、bcrypt、scrypt或Argon2），并为每个用户生成独立的随机盐。</p>
<p><a id="2.1.9"></a></p>
<h2 id="19-查询业务">1.9 查询业务</h2>
<h3 id="191必须返回信息最小化">1.9.1【必须】返回信息最小化</h3>
<p>返回用户信息应遵循最小化原则，避免将业务需求之外的用户信息返回到前端。</p>
<h3 id="192必须个人敏感信息脱敏展示">1.9.2【必须】个人敏感信息脱敏展示</h3>
<p>在满足业务需求的情况下，个人敏感信息需脱敏展示,如：</p>
<ul>
<li>鉴权信息（如口令、密保答案、生理标识等）不允许展示</li>
<li>身份证只显示第一位和最后一位字符，如3****************1。</li>
<li>移动电话号码隐藏中间6位字符，如134******48。</li>
<li>工作地址/家庭地址最多显示到“区”一级。</li>
<li>银行卡号仅显示最后4位字符，如************8639</li>
</ul>
<h3 id="193必须数据权限校验">1.9.3【必须】数据权限校验</h3>
<p>查询个人非公开信息时，需要对当前访问账号进行数据权限校验。</p>
<ol>
<li>验证当前用户的登录态</li>
<li>从可信结构中获取经过校验的当前请求账号的身份信息（如：session）。禁止从用户请求参数或Cookie中获取外部传入不可信用户身份直接进行查询。</li>
<li>校验当前用户是否具备访问该数据的权限</li>
</ol>
<p><a id="2.1.10"></a></p>
<h2 id="110-操作业务">1.10 操作业务</h2>
<h3 id="1101必须部署csrf防御机制">1.10.1【必须】部署CSRF防御机制</h3>
<p>CSRF是指跨站请求伪造（Cross-site request forgery），是web常见的攻击之一。对于可重放的敏感操作请求，需部署CSRF防御机制。可参考以下两种常见的CSRF防御方式：</p>
<ul>
<li>
<p>设置CSRF Token</p>
<p>服务端给合法的客户端颁发CSRF Token，客户端在发送请求时携带该token供服务端校验，服务端拒绝token校验不通过的请求，以此防止第三方构造合法的恶意操作链接。Token的作用域可以是Request级或者Session级。下面以Session级CSRF Token进行示例：</p>
<ol>
<li>
<p>登录成功后颁发Token，并同时存储在服务端Session中</p>
<div class="highlight"><div style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">
<table style="border-spacing:0;padding:0;margin:0;border:0;"><tr><td style="vertical-align:top;padding:0;margin:0;border:0;">
<pre tabindex="0" style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">1
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">2
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">3
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">4
</span></code></pre></td>
<td style="vertical-align:top;padding:0;margin:0;border:0;;width:100%">
<pre tabindex="0" style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-java" data-lang="java"><span style="display:flex;"><span>String uuidToken <span style="color:#000;font-weight:bold">=</span> UUID<span style="color:#000;font-weight:bold">.</span><span style="color:#008080">randomUUID</span><span style="color:#000;font-weight:bold">().</span><span style="color:#008080">toString</span><span style="color:#000;font-weight:bold">();</span>
</span></span><span style="display:flex;"><span>map<span style="color:#000;font-weight:bold">.</span><span style="color:#008080">put</span><span style="color:#000;font-weight:bold">(</span><span style="color:#d14">&#34;token&#34;</span><span style="color:#000;font-weight:bold">,</span> uuidToken<span style="color:#000;font-weight:bold">);</span>
</span></span><span style="display:flex;"><span>request<span style="color:#000;font-weight:bold">.</span><span style="color:#008080">getSession</span><span style="color:#000;font-weight:bold">().</span><span style="color:#008080">setAttribute</span><span style="color:#000;font-weight:bold">(</span><span style="color:#d14">&#34;token&#34;</span><span style="color:#000;font-weight:bold">,</span>uuidToken <span style="color:#000;font-weight:bold">);</span>
</span></span><span style="display:flex;"><span><span style="color:#000;font-weight:bold">return</span> map<span style="color:#000;font-weight:bold">;</span>
</span></span></code></pre></td></tr></table>
</div>
</div></li>
<li>
<p>创建Filter</p>
<div class="highlight"><div style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">
<table style="border-spacing:0;padding:0;margin:0;border:0;"><tr><td style="vertical-align:top;padding:0;margin:0;border:0;">
<pre tabindex="0" style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 1
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 2
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 3
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 4
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 5
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 6
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 7
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 8
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 9
</span><span style="white-space:pre;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">10
</span></code></pre></td>
<td style="vertical-align:top;padding:0;margin:0;border:0;;width:100%">
<pre tabindex="0" style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-java" data-lang="java"><span style="display:flex;"><span><span style="color:#000;font-weight:bold">public</span> <span style="color:#000;font-weight:bold">class</span> <span style="color:#458;font-weight:bold">CsrfFilter</span> <span style="color:#000;font-weight:bold">implements</span> Filter <span style="color:#000;font-weight:bold">{</span>  
</span></span><span style="display:flex;"><span>  <span style="color:#000;font-weight:bold">...</span>
</span></span><span style="display:flex;"><span>   HttpSession session <span style="color:#000;font-weight:bold">=</span> req<span style="color:#000;font-weight:bold">.</span><span style="color:#008080">getSession</span><span style="color:#000;font-weight:bold">();</span>
</span></span><span style="display:flex;"><span>   Object token <span style="color:#000;font-weight:bold">=</span> session<span style="color:#000;font-weight:bold">.</span><span style="color:#008080">getAttribute</span><span style="color:#000;font-weight:bold">(</span><span style="color:#d14">&#34;token&#34;</span><span style="color:#000;font-weight:bold">);</span>
</span></span><span style="display:flex;"><span>   String requestToken <span style="color:#000;font-weight:bold">=</span> req<span style="color:#000;font-weight:bold">.</span><span style="color:#008080">getParameter</span><span style="color:#000;font-weight:bold">(</span><span style="color:#d14">&#34;token&#34;</span><span style="color:#000;font-weight:bold">);</span>
</span></span><span style="display:flex;"><span>   <span style="color:#000;font-weight:bold">if</span><span style="color:#000;font-weight:bold">(</span>StringUtils<span style="color:#000;font-weight:bold">.</span><span style="color:#008080">isBlank</span><span style="color:#000;font-weight:bold">(</span>requestToken<span style="color:#000;font-weight:bold">)</span> <span style="color:#000;font-weight:bold">||</span> <span style="color:#000;font-weight:bold">!</span>requestToken<span style="color:#000;font-weight:bold">.</span><span style="color:#008080">equals</span><span style="color:#000;font-weight:bold">(</span>token<span style="color:#000;font-weight:bold">)){</span>
</span></span><span style="display:flex;"><span>         AjaxResponseWriter<span style="color:#000;font-weight:bold">.</span><span style="color:#008080">write</span><span style="color:#000;font-weight:bold">(</span>req<span style="color:#000;font-weight:bold">,</span> resp<span style="color:#000;font-weight:bold">,</span> ServiceStatusEnum<span style="color:#000;font-weight:bold">.</span><span style="color:#008080">ILLEGAL_TOKEN</span><span style="color:#000;font-weight:bold">,</span> <span style="color:#d14">&#34;非法的token&#34;</span><span style="color:#000;font-weight:bold">);</span>
</span></span><span style="display:flex;"><span>            <span style="color:#000;font-weight:bold">return</span><span style="color:#000;font-weight:bold">;</span>
</span></span><span style="display:flex;"><span>        <span style="color:#000;font-weight:bold">}</span>
</span></span><span style="display:flex;"><span>   <span style="color:#000;font-weight:bold">...</span>
</span></span></code></pre></td></tr></table>
</div>
</div></li>
</ol>
<p>CSRF Token应具备随机性，保证其不可预测、不可枚举。另外，由于浏览器会自动为表单所访问的域名附带相应的Cookie，所以CSRF Token不应通过Cookie传输。</p>
</li>
<li>
<p>校验Referer头</p>
<p>通过检查HTTP请求的Referer字段是否属于本站域名，非本站域名的请求进行拒绝。</p>
<p>这种校验方式需要注意两点：</p>
<ol>
<li>需要处理Referer为空的情况：当Referer为空时拒绝请求。</li>
<li>注意避免部分匹配的情况，例如将 qq.com.evil.com 误判为本站域名。</li>
</ol>
</li>
</ul>
<h3 id="1102必须权限校验">1.10.2【必须】权限校验</h3>
<p>对于非公共操作，应当对当前访问账号进行操作权限校验（常见于CMS）和数据权限校验。</p>
<ol>
<li>验证当前用户的登录态</li>
<li>从可信结构中获取经过校验的当前请求账号的身份信息（如：session）。禁止从用户请求参数或Cookie中获取外部传入不可信用户身份直接进行查询。</li>
<li>校验当前用户是否具备该操作权限</li>
<li>校验当前用户是否具备所操作数据的权限。避免越权。</li>
</ol>
<h3 id="1103建议加锁操作">1.10.3【建议】加锁操作</h3>
<p>对于有次数限制的操作（比如抽奖），如果操作过程中资源访问未正确加锁，在高并发的情况下可能造成条件竞争，导致实际操作成功次数多于用户的操作资格次数。此类操作应加锁处理。</p>

        </div>

        
<div class="post-archive">
    <ul class="post-copyright">
        <li><strong>原文作者：</strong><a rel="author" href="https://anttu.gitee.io/">Anttu</a></li>
        <li style="word-break:break-all"><strong>原文链接：</strong><a href="https://anttu.gitee.io/post/2021-09-30-safe_coding_java/">https://anttu.gitee.io/post/2021-09-30-safe_coding_java/</a></li>
        <li><strong>版权声明：</strong>本作品采用<a rel="license" href="https://creativecommons.org/licenses/by-nc-nd/4.0/">知识共享署名-非商业性使用-禁止演绎 4.0 国际许可协议</a>进行许可，非商业转载请注明出处（作者，原文链接），商业转载请联系作者获得授权。</li>
    </ul>
</div>



        



    </article>
    
    

    
    
    
    
    
</div>



    
    
    <script type="text/javascript">
        (function configureMathJax(globalObject) {
            // Inline-math delimiters and escape handling for the tex2jax preprocessor;
            // the configuration object is published on window for the MathJax script
            // loaded further down the page.
            const tex2jaxOptions = {
                inlineMath: [['$', '$']],
                processEscapes: true
            };
            globalObject.MathJax = { tex2jax: tex2jaxOptions };
        })(window);
    </script>
    <script src='//cdnjs.cloudflare.com/ajax/libs/mathjax/2.7.5/MathJax.js?config=TeX-MML-AM_CHTML' async></script>

<script type="text/javascript" src='/js/totop.js?v=0.0.0' async=""></script>
<style type="text/css">
div.highlight {
    position: relative;
    margin: 1em 0px;
}

.copy-code {
    display: none;
    position: absolute;
    top: 4px;
    right: 4px;
    color: rgba(255, 255, 255, 0.8);
    background: rgba(78, 78, 78, 0.8);
    border-radius: var(--radius);
    padding: 0 5px;
    font: inherit;
    user-select: none;
    cursor: pointer;
    border: 0;
    --radius: 8px;
}

div.highlight:hover .copy-code,pre:hover .copy-code {
    display: block;
}

</style>
<script>
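    // Attach a "copy" button to every highlighted code block on the page.
    // The button is placed on the highlight container when present, otherwise on
    // the nearest suitable ancestor (table-based line-number layout, or the <pre>).
    document.querySelectorAll('pre > code').forEach((codeblock) => {
        const container = codeblock.parentNode.parentNode;

        const copybutton = document.createElement('button');
        // Explicit type: a bare <button> defaults to "submit" and would submit
        // an enclosing form.
        copybutton.type = 'button';
        copybutton.classList.add('copy-code');
        // The label is plain text; textContent does not go through the HTML parser.
        copybutton.textContent = 'copy';

        // Show "copied!" on the button and restore the label after 2 s.
        function copyingDone() {
            copybutton.textContent = 'copied!';
            setTimeout(() => {
                copybutton.textContent = 'copy';
            }, 2000);
        }

        // Fallback copy path: select the code text and use execCommand('copy').
        // Best-effort on purpose: an unsupported or denied execCommand is ignored.
        function legacyCopy() {
            const range = document.createRange();
            range.selectNodeContents(codeblock);
            const selection = window.getSelection();
            selection.removeAllRanges();
            selection.addRange(range);
            try {
                // execCommand reports false when the copy did not happen;
                // only show "copied!" on success.
                if (document.execCommand('copy')) {
                    copyingDone();
                }
            } catch (e) {
                // Nothing further to do; the user can still copy manually.
            }
            selection.removeRange(range);
        }

        copybutton.addEventListener('click', () => {
            if ('clipboard' in navigator) {
                // writeText is asynchronous and may reject (e.g. permission denied).
                // Report success only once it resolves; on rejection use the fallback
                // instead of leaving an unhandled promise rejection.
                navigator.clipboard.writeText(codeblock.textContent)
                    .then(copyingDone, legacyCopy);
                return;
            }
            legacyCopy();
        });

        if (container.classList.contains("highlight")) {
            container.appendChild(copybutton);
        } else if (container.parentNode.firstChild == container) {
            // Intentionally no button in this layout (kept from the original logic).
        } else if (codeblock.parentNode.parentNode.parentNode.parentNode.parentNode.nodeName == "TABLE") {
            // Line-numbered table layout: attach the button to the enclosing table.
            codeblock.parentNode.parentNode.parentNode.parentNode.parentNode.appendChild(copybutton);
        } else {
            // Plain <pre><code>: attach the button to the <pre>.
            codeblock.parentNode.appendChild(copybutton);
        }
    });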
</script>






    <script src='/js/asciinema-player.js'></script>

                </div>

            </div>
        </div>
    </div>
</body>

</html>